[ZEPPELIN-2769] Prevent SQL injection for GetUserList.getUserList. ### What is this PR for? Prevent SQL injection for ```GetUserList.getUserList```.
### What type of PR is it? Improvement ### What is the Jira issue? https://issues.apache.org/jira/browse/ZEPPELIN-2769 Author: Yanbo Liang <[email protected]> Closes #2487 from yanboliang/zeppelin-2769 and squashes the following commits: d1a7ff9b [Yanbo Liang] Prevent SQL injection for GetUserList.getUserList. Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/4a0a6bfc Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/4a0a6bfc Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/4a0a6bfc Branch: refs/heads/branch-0.7 Commit: 4a0a6bfc43ea69121f5a4dc49b63d931a45d2d8e Parents: d2907b5 Author: Yanbo Liang <[email protected]> Authored: Wed Jul 12 15:25:05 2017 +0800 Committer: Prabhjyot Singh <[email protected]> Committed: Tue Aug 15 11:08:45 2017 -0700 ---------------------------------------------------------------------- .../src/main/java/org/apache/zeppelin/rest/GetUserList.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/zeppelin/blob/4a0a6bfc/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java ---------------------------------------------------------------------- diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java index f0e3740..7452c93 100644 --- a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java +++ b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java @@ -231,7 +231,7 @@ public class GetUserList { return userlist; } - userquery = "select " + username + " from " + tablename; + userquery = "select ? from ?"; } catch (IllegalAccessException e) { LOG.error("Error while accessing dataSource for JDBC Realm", e); 
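Review bot: `userquery = "select ? from ?";` misuses JDBC placeholders: `?` binds a value, never a column or table identifier, so the statement will be sent as `select 'col' from 'tbl'` and most drivers will either refuse to execute it or return the literal string rather than the user column. The names `username` and `tablename` suggest these values come from the JDBC realm configuration rather than from a request, so the injection surface here is configuration-controlled; if the concatenation is still to be hardened, the robust approach is to validate the identifiers against a strict pattern (or check them against `DatabaseMetaData.getTables`/`getColumns`) and then keep the concatenation, for example as below in place of the added line. The enclosing method starts and ends outside this hunk, so the early `return userlist;` mirrors the one visible just above the change.
```java
// JDBC "?" binds values, not identifiers: validate the configured column/table names, then concatenate.
if (!username.matches("[A-Za-z_][A-Za-z0-9_]*") || !tablename.matches("[A-Za-z_][A-Za-z0-9_.]*")) {
  LOG.error("Refusing to build user query: column or table name is not a plain SQL identifier");
  return userlist;
}
userquery = "select " + username + " from " + tablename;
// … unchanged: catch (IllegalAccessException e) …
```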
@@ -241,6 +241,8 @@ public class GetUserList {
 try {
 Connection con = dataSource.getConnection();
 ps = con.prepareStatement(userquery);
+ ps.setString(1, username);
+ ps.setString(2, tablename);
 rs = ps.executeQuery();
 while (rs.next()) {
 userlist.add(rs.getString(1).trim());
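Review bot: `ps.setString(1, username);` and `ps.setString(2, tablename);` bind the identifiers as quoted string literals, so with the `select ? from ?` text prepared on the line above the `executeQuery()` that follows will either throw `SQLException` or return the literal column name once per row, leaving `userlist` empty or wrong; the regression only shows up at runtime. If the query is instead built from validated identifiers as a plain string, these two `setString` lines should be removed rather than kept alongside it. Separately, `Connection con = dataSource.getConnection();` is not closed anywhere visible in this hunk; if the rest of the method (which ends outside the hunk) does not close it, `try (Connection con = dataSource.getConnection()) { … }` would avoid leaking pooled connections on every user-list lookup.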
